LOW: Auto-generated encryption key stored in same SQLite database as encrypted data #85
Labels
No Label
architecture
backend
bug
feature
frontend
priority:critical
priority:high
priority:low
priority:medium
priority:nice-to-have
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/BillTracker#85
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug Description
When TOKEN_ENCRYPTION_KEY env var is not set, encryptionService.js auto-generates a random key and stores it in the user_settings table (_auto_encryption_key). This means the encryption key and the encrypted data (data_sources.encrypted_secret) are in the same SQLite file.
An attacker with database access gets both the key and the ciphertext.
Impact
Acceptable for the current threat model (filesystem access = game over regardless). But worth documenting for deployment documentation.
Recommended Fix
Document in deployment guide that TOKEN_ENCRYPTION_KEY should be set as an environment variable in production. Consider logging a warning when the auto-generated key is used.
closed v0.35.0